When you imagine hackers and identity thieves violating your privacy, you might think of a pallid, 20-something hacker in a dark basement, wearing a hoodie, gulping Red Bull by the gallon, typing mysterious, high-tech commands rapid-fire on a keyboard to break into your email, social media site, or bank account.
In this scenario, your cyber nemesis is someone who knows tech way better than you do, and abuses that tech to exploit you.
But, having worked in the electronic intelligence field, at NSA and other three-letter agencies, I can tell you that violating—and protecting—your electronic privacy is not really about tech at all, unless you consider the human brain to be tech.
What I mean is this: Protecting your privacy is much more about understanding human behavior than it is about understanding technology. For example, Rob Joyce a former NSA colleague and Chief White House Cybersecurity official, said recently, “Human factors like corporate leadership priorities are at the bottom of almost all of our cyber problems.” Rob should know—he ran Tailored Access Operations at NSA (which, according to Wikipedia “identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States.”)
One particularly problematic “human factor” is use—and misuse—of passwords. A Verizon data breach report estimates that over 80% of hacking incidents stem from stealing, spoofing, or cracking passwords.
Violating—and protecting—your electronic privacy is not really about tech at all, unless you consider the human brain to be tech.
Why are passwords the major Achilles heel in cybersecurity and privacy protection?
Because using and protecting passwords is such a pain that almost everyone engages in bad cyber hygiene with passwords. Examples of bad hygiene are using easily guessed passwords such as “12345,” birthdays, or children’s names, or employing the same password (or variants of it) on 10-20 different accounts.
Although “strong passwords”—such as $%Fth&8H8j9ErQst—that change regularly and are used only for one account—seem like “good cyber hygiene,” in reality strong, frequently changing passwords are a staggeringly dumb idea because users have to put the password on a post-it note that they “cleverly” hide under their desk or store in a file labeled “passwords.” And of course malicious thieves know and and exploit these behaviors.
Protecting your privacy is much more about understanding human behavior than it is about understanding technology.
So what’s the right way to use passwords?
Answer: Don’t use passwords at all.
Instead use biometric access (face recognition is my favorite because it’s easy). I use an app called “LastPass” that uses face recognition* to access all of my accounts (and I have tons of them), so I don’t have to remember (or write down) a zillion passwords. The app took a little work to set up, but once established, made access to my private cyber world super simple.
And simplicity is the key to security, because, the simple truth is that we have to deal with users as we really are, not as we ought be, and who we really are is...well...lazy. Any security system that ignores this simple truth is not one which you should trust to protect your privacy.
*There are several other excellent biometric, two factor authentication apps, such as Authy and Google authenticator. I recommend setting up Two Factor authentication when using such apps (where you use both biometric and SMS or email text confirmation of login).